Reversing & malware analysis training part 4 assembly programming basics

Disclaimer
The Content, Demonstration, Source Code and Programs presented here is "AS IS"
without any warranty or conditions of any kind. Also the views/ideas/knowledge
expressed here are solely of the trainer’s only and nothing to do with the company or
the organization in which the trainer is currently working.
However in no circumstances neither the trainer nor SecurityXploded is responsible for
any damage or loss caused due to use or misuse of the information presented here.
www.SecurityXploded.com

Acknowledgement
 Special thanks to null & Garage4Hackers community for their extended support and
cooperation.
 Thanks to all the Trainers who have devoted their precious time and countless hours to
make it happen.

Reversing & Malware Analysis Training
This presentation is part of our Reverse Engineering & Malware Analysis Training
program. Currently it is delivered only during our local meet for FREE of cost.
For complete details of this course, visit our Security Training page.

Who am I #1
Amit Malik (sometimes DouBle_Zer0,DZZ)
 Member SecurityXploded
 Security Researcher @ McAfee Labs
 RE, Exploit Analysis/Development, Malware Analysis
 Email: m.amit30@gmail.com

Who am I #2
Swapnil Pathak
 Member SecurityXploded
 Security Researcher @ McAfee Labs
 RE, Malware Analysis, Network Security
 Email: swapnilpathak101@gmail.com

Course Q&A
 Keep yourself up to date with latest security news
 http://www.securityphresh.com
 For Q&A, join our mailing list.
 http://groups.google.com/group/securityxploded

Presentation Outline
 Intro to x86-32
 AssemblyLanguage
 Instructions
 Stack Operations
 Callingconventions
 Demo

x86-32
 32 bit instruction set architecturesbased on Intel 8086 CPU
 Addressa linear address spaceup to 4GB
 8, 32 bit General PurposeRegisters(GPR)
 6,16 bit Segment Registers
 EFLAGS and EIP register
 ControlRegisters(CR0-CR4)(16 bits)
 Memory ManagementRegistersDescriptorTableRegisters (GDTR, IDTR,
LDTR)
 Debug Registers ( DR0-DR7)

Registers Usage - RE
 Register
 StorageLocations.
 Much fasteraccess compareto memory locations.
 EAX: Accumulator, mostly storesreturn values fromfunctions(APIs)
 EBX: Base index (for use with arrays)
 ECX: Counter
 EDX: Data/general
 ESI: Sourceindex for string operations.

Registers Usage – RE Cont.
 EDI: Destination index forstring operations.
 ESP: Stack pointerfortop address of the stack.
 EBP: Stack base pointerforholding theaddress of the current stack frame.
 EIP: Instructionpointer.Holds the programcounter, thenext instruction address.
 Segment registers:
 Used to address particularsegments ofmemory ( code, data, stack )
!) CS: Code !!) SS: Stack
!!!) ES: Extra !V) DS: Data V) FS, GS

Registers – 32 bit (X86)

(R/E)Flags Register
 Bit field of states
 Status Flags
 Carrry (CF) : set when an arithmetic carry/borrow has been generated out of the
MSB.
 Zero (ZF) : set when an arithmetic operation result is zero and reset otherwise.
 Sign (SF) : set when an arithmetic operation set the MSB i.e. the result value was
negative.
 Trap (TF ) : when set permits operation of processor in single-step. Mostly used by
debuggers.
 Interrupt (IF) : determines whether the CPU should handle maskable hardware
interrupts.
 Direction (DF) : determines the direction (left-to-right or right-to-left) of string
processing.
 Overflow (OF) : indicates arithmetic overflow.

Assembly Language
 Low level programming language
 Symbolicrepresentationof machinecodes, constants.
 Assemblylanguageprogramconsist ofsequenceof process instructions and meta
statements
 Assemblertranslates themto executableinstructionsthat are loaded into memory and
executed.
 BasicStructure
[label]: opcode operand1,operand2
opcode – mnemonicthat symbolizeinstructions
 Example.
 MOV AL, 61h => 1011000001100001

Instructions
ADD dst, src
- Adds thevalues of src and dst and stores the result into dst.
- For exampleADD EAX, 1
SUB dst, src
- Subtractssrcvalue from dst and stores the result in dst.
- For exampleSUB EAX, 1
CMPdst, src
- Subtractssrcvalue from dst but does storethe result in dst
- Mostlyused to set/reset decisionmaking bits in EFLAGS registersuch as ZF
- For exampleCMP EAX, EBX

Instructions cont.
MOV dst, src
- Moves datafrom src (left operand)to destination(right operand)
- For examplemov EDI, ESI
Note:
- Both operands cannotbe memory locations.
- Both the operands must be of the same size
LEAdst, src
- Stands forLoad EffectiveAddress.
- Computestheeffectiveaddress of src operand and stores it in dst operand.
- For exampleLEA ECX,[EBX + 5]
Note:
- Generally bracketsdenotevalueat memory locations.
- In case of LEA it does simplearithmeticand stores it in dst

Instructions cont.
XOR dst, src
- Performs a bitwiseexclusiveORoperation on the dst and src and stores the
result in dst.
- Each bit of the result is 1 if the correspondingbits ofthe operands are different,
0 if the correspondingbit are same
Note:
- When used with same register clears the contents ofthe register
- Optimizedway to clear the register. Betterthan MOV EAX, 0

Instructions cont.
REP
- Used with string operations
- Repeats a string instructionuntil ECX (counterregister)valueis equal to zero.
- For exampleREPMOVS byte ptr DS:[EDI], DS:[ESI]
LOOP
- Similarto loops in high level languages
- Used to executesequenceof instructionsmultipletimes.
- For example
MOV ECX, 10
Test : INC EBX
INC EAX
LOOP Test

Instructions cont.
TEST dst, src
- Performs bitwiselogicaland between dst and src
- UpdatestheZero flag bit of the EFLAGS register
- Mostlyused to check if the return valueof the function is not zero
- For exampleTEST EAX, EAX
INT3h
- Breakpointinstruction
- Used by debuggersto stop execution ofthe programat particularinstruction

Instructions cont.
CALLaddress
- Performs two functions
- Push address of the next instructionon stack (return address)
- Jump to the address specifiedby the instruction
- For exampleCALL dword ptr [EAX+4]
RET
- Transfers thecontrol to the address previously pushedon the stack by CALL
instruction
- Mostlydenotestheend of the function

Instructions cont.
Jump instructions
- Categorized as conditional and unconditional
- Unconditionaljump instructions
- JMP(Far Jump) – E9 – (Cross segments)
- JMP( Short Jump ) – EB – (-127 to 128 bytes)
- JMP( Near Jump ) – E9 – (in a segment)
- For exampleJMPEAX
- Conditional jump instructions
- Jumps according to bit flags set in the EFLAGS register
- JC, JNC, JZ, JNZ, JS, JNS, JO, JNO
- UnsignedcomparisonsJA, JAE, JB, JBE
- Signed comparisonsJG, JGE, JL, JLE
- Usually followedby CMP instruction

Instructions cont.
PUSH operand
- Pushes operandon the stack
- Decrementsthestack pointerregisterby operand size
- For examplePUSH EAX
POP operand
- Stores thevalue pointedby the stack pointerin operand
- Incrementsthestack pointerregisterby operand size
- For examplePOPEAX
Note: POP/PUSHEIPis an invalid instruction
PUSHF, POPF

Calling Conventions
 Describeshow thearguments are passed and values returned by functions.
 Steps performed when a functionis called
 Arguments are passed to the called function
 Program execution is transferred to the address of the called function
 Called function starts with lines of code that prepare stack and registers for use within the function.Also
known as function prologue.
○ For e.g.
push ebp
mov ebp, esp
or with enter instruction
 Called function ends with lines of code that restore stack and registers set initially. Also known as function
epilogue.
○ For e.g.
mov esp, ebp
pop ebp
ret
or with leave instruction
 Passed arguments are removed from the stack, known as stack cleanup. Can be performed by both calling
function or called function depending on the calling convention used.

Calling conventions cont.
 __cdecl (C calling convention)
 Arguments are passed from right to left and placed on the stack
 Stack cleanup is performed by the caller
 Return values are stored in EAX register
 Standard calling convention used by C compilers
 __stdcall(Standardcallingconvention)
 Arguments are passed from right to left and placed on the stack
 Stack cleanup is performed by the called function
 Return values are stored in EAX register
 Standard calling convention for Microsoft Win32 API
 __fastcall(Fast calling convention)
 Arguments passed are stored in registers for faster access
 Thiscall
 Arguments are passed from right to left and placed on the stack. this pointer placed in ECX
- Standard calling convention for calling member functions of C++ classeswww.SecurityXploded.com

Stack operations
 Stack is a LIFO (Last In First Out) typedata structure
 Stacks grows downward in memory, from highermemory address to lower
memory address
 PUSH decrement the stack pointer i.eESP
 POPIncrement thestack pointer i.e ESP
 Eachfunction has its own stack frame
 Function prologuesetup thestack frame for each function
 Local variableof a functionare storedinto its stack frame

Stack #1

Stack #2

 Each function creates its own stack.
 Callerfunctionstack: knownas parent stack.
 Called function stack:known as child stack.
For e.g.
main(){ ASMPseudo:
sum(); _main:
} 123: push ebp
124: mov ebp,esp
125: sub esp,val
126: call _sum
127: mov esp,ebp
128: pop ebp
129: ret
* The parentand child notation is theinstructor notation, technically it shouldbecaller and callee stack frames.
Stack #3

Stack #4

Stack #5

Stack #6

DEMO (Source Code)
 #include <stdio.h>
 /*
 Author:Amit Malik
 http://www.securityxploded.com - Compile in Dev C++
 */
 int mysum(int,int);
 int main()
 {
 int a,b,s;
 a = 5;
 b = 6;
 s = mysum(a,b); // call mysum function
 printf("sum is: %d",s);
 getchar();
 }
 int mysum(int l, int m) // mysum function
 {
 int c;
 c = l + m;
 return c;
 }

DEMO (Video)
http://vimeo.com/36198403

x86-64 Intro.
 64 bit instruction set architecturesbased on Intel 8086 CPU
 Addressa linear address spaceup to 16TB
 16, 64 bit General PurposeRegisters(GPR)
 6, 16 bit Segment Registers
 RFLAGS and RIP register
 ControlRegisters(CR0-CR4) and CR8 (16 bits)
 Memory ManagementRegisters DescriptorTableRegisters(GDTR, IDTR,
LDTR)size expanded to 10 bytes
 Debug Registers ( DR0-DR7)

Reference
 Complete Reference Guide for Reversing & Malware Analysis Training

Thank You !

Reversing & malware analysis training part 4 assembly programming basics

More Related Content

What's hot (20)

Similar to Reversing & malware analysis training part 4 assembly programming basics (20)

More from Abdulrahman Bassam (12)

Recently uploaded (20)

Reversing & malware analysis training part 4 assembly programming basics